Promisec's Watchful Eye

Spectator arrives with some change-management capabilities, such as hardening registry values: it monitors controlled registry entries and reverts them if an unauthorized change is made. If a malicious program tries to change those registry values, Spectator automatically restores all of the registry settings. Spectator also supports Microsoft Windows Vista.
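As an added illustration of the monitor-and-revert pattern described above (example code, not Promisec's; the two baseline entries and their expected settings are assumptions chosen for the example), a PowerShell audit that compares a stored baseline against the live registry and optionally restores it:

```powershell
# Added example, not Promisec's code: snapshot approved registry values, flag drift,
# and optionally revert, which is the behaviour the review attributes to Spectator.
# The baseline entries are assumptions for illustration; substitute your own policy.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Name = 'DisableAntiSpyware'; Value = 0; Type = 'DWord' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Value = 5; Type = 'DWord' }
)

function Test-RegistryBaseline {
    param([array]$Baseline, [switch]$Revert)
    foreach ($Entry in $Baseline) {
        $Current = $null
        if (Test-Path -Path $Entry.Path) {
            $Item = Get-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue
            if ($Item) { $Current = $Item.($Entry.Name) }
        }
        if ($Current -eq $Entry.Value) {
            "OK       $($Entry.Path)\$($Entry.Name) = $Current"
            continue
        }
        $Shown = if ($null -eq $Current) { '<missing>' } else { $Current }
        Write-Warning "DRIFT    $($Entry.Path)\$($Entry.Name): expected $($Entry.Value), found $Shown"
        if ($Revert) {
            if (-not (Test-Path -Path $Entry.Path)) { New-Item -Path $Entry.Path -Force | Out-Null }
            # -Force overwrites an existing value; writing under HKLM needs an elevated session.
            New-ItemProperty -Path $Entry.Path -Name $Entry.Name -Value $Entry.Value `
                -PropertyType $Entry.Type -Force | Out-Null
            "REVERTED $($Entry.Path)\$($Entry.Name) -> $($Entry.Value)"
        }
    }
}

# Audit only; add -Revert (from an elevated prompt) to restore the baseline.
Test-RegistryBaseline -Baseline $Baseline
```

Running this on a schedule mirrors Spectator's loop inspection; the interval between runs is the window during which an unauthorized change stays in effect, so pair it with an alert on the DRIFT warning rather than relying on the revert alone.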

The tool also complements enterprise monitoring offerings. For instance, Spectator 3.1 integrates with Check Point's VPN-1 Pro and IBM Tivoli Monitoring.

Step 1: Installation

When downloading a Promisec evaluation, make sure to get a license key. The company does not have a standard time-based license for Spectator Professional on its Web site. The software works on Windows NT and above, so Channel Test Center engineers installed it on a Windows 2003 server. If .NET is not already installed, the product installer installs the .NET Framework 2.0.


To gain remote access to end points, port 445 must be open to administrators. Remote Registry and file and print sharing must be enabled on all end points, and RPC access is also required.
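A way to verify those prerequisites across a list of end points before starting an agentless scan, as an added example that is not from Promisec (the host names are constructed placeholders; Get-Service -ComputerName is a Windows PowerShell 5.1 cmdlet parameter that PowerShell 7 no longer has):

```powershell
# Added example, not from Promisec: verifies the prerequisites the review lists before an
# agentless scan (SMB/file sharing on TCP 445, RPC endpoint mapper on TCP 135, and the
# Remote Registry service). Host names are constructed placeholders for the example.
# Get-Service -ComputerName is Windows PowerShell 5.1 (it was removed in PowerShell 7).
$Endpoints = @('ws-finance-01', 'ws-finance-02')

function Test-ScanPrerequisites {
    param([string[]]$ComputerName)
    foreach ($Target in $ComputerName) {
        $Smb = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
        $Rpc = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
        # Querying the service over RPC also proves the scan account can reach the SCM.
        $Svc = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction SilentlyContinue
        $SvcState = if ($Svc) { [string]$Svc.Status } else { 'unreachable' }
        [pscustomobject]@{
            Computer       = $Target
            Smb445Open     = $Smb.TcpTestSucceeded
            Rpc135Open     = $Rpc.TcpTestSucceeded
            RemoteRegistry = $SvcState
            Ready          = [bool]($Smb.TcpTestSucceeded -and $Rpc.TcpTestSucceeded -and $SvcState -eq 'Running')
        }
    }
}

Test-ScanPrerequisites -ComputerName $Endpoints | Format-Table -AutoSize
```

Opening 445, 135 and Remote Registry network-wide also widens the lateral-movement surface, so restrict those firewall rules to the Spectator server's address rather than to any administrator host.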

Once installed, the software is simple to use if Active Directory is running on a domain. Spectator 3.1, however, does not support access to end points when running a Windows server in stand-alone mode, unless the Spectator server and all end points have the same authentication credentials.

Engineers decided to use the agentless version of Spectator. However, they were running a stand-alone Windows 2003 server and were not able to scan any machines, receiving "access denied" messages even after matching the authentication credentials. They experimented with levels of access to remote shares but were not successful; even with administrative privileges, the scan could not complete. Apparently, the authentication needed to be identical between server and end point.

While a full product user guide and installation guide are provided on the Web site and via a help menu, engineers could not find any information on how to connect and use credentials from an end point. This is completely missing from the documentation. Promisec states that most customers use Active Directory in the United States and stand-alone servers are rarely used.

However, Promisec agrees that many small customers do not use Active Directory, so it is making a new version available that is able to work with stand-alone servers. Engineers ended up downloading Spectator 3.2 Beta. Version 3.2 is able to use different authentication credentials. With the help of Promisec, engineers were able to quickly set up new usernames to log onto end points.

The new Spectator arrives with a Credentials Management feature that uses host credentials without having to access Active Directory.

The credentials have to be created in a group rather than individually, unless a single authentication credential is used across the network. The pane is a little confusing because administrators are given both options without a clear-cut way of differentiating between adding single users and using credentials in a group. For some unexplained reason, engineers could not add one user at a time and instead used the group credential window to store the accounts.

Step 2: Preparing to Scan End Points

On the left-hand side of its workspace pane, Spectator displays all the machines that are being inspected. Spectator provides options for connection through single IPs, IP ranges and computer names. After the machines are selected, they appear in the left pane, since only individual end points are inspected. Administrators can also import files with IP addresses.

To select users, administrators can either import host files from Active Directory or they can use a dynamic import that integrates with it. Every time Spectator runs automatically, it will contact Active Directory to collect new end points or those that have been switched off.

Spectator provides a single-run inspection or a loop inspection. The loop inspection scans end points on a continuous basis. Loop inspections can also run via intervals that can be set in the tools menu.

On the right pane, Spectator provides a database of programs and services it can scan. The database is listed by categories such as peer-to-peer applications, service packs, remote control applications and accessible hardware devices.

The inspections are listed alphabetically, allowing administrators to quickly find the scanning options that are enabled and disabled. The scans are categorized, so administrators can work with them in groups. Engineers found the list of P2P applications comprehensive.

Promisec's research department constantly scours the Internet looking for new trends in each category. If an item is not listed in Spectator, administrators can add it using a user-defined module. The module allows administrators to type the name of any application, and Spectator will look for it.

Spectator is able to identify Bluetooth, network, wireless and modem cards that are available. If a wireless card shares an IP address with a wired network card, administrators can tell that the cards are being used simultaneously. This feature can identify simultaneous connectivity between private and public networks, so administrators can see if intruders are trying to break down the barriers between them.

If an intrusion is detected, Spectator can shut down the service remotely. Spectator can also identify removable storage devices, even if a device was unplugged and removed before a scan. If the device is brought back, Spectator recognizes it because it maintains a record of all connected devices. In addition, Spectator can identify any software that synchronizes with hardware devices, including music managers. Spectator can remotely remove the drivers and service for those devices. It is not, however, able to block access to the devices. If a company has standardized on BlackBerry devices, administrators can turn off the scans for BlackBerry devices.
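To see what a record of previously connected removable devices looks like without the tool, here is an added PowerShell example (not Promisec's code; it reads the USBSTOR enumeration keys that Windows itself maintains rather than Spectator's database, and the approved serial number is a constructed placeholder):

```powershell
# Added example, not Promisec's code: lists every USB mass-storage device Windows has
# enumerated on this host, read from the USBSTOR tree Windows keeps in the registry, so a
# device unplugged before a scan still appears. Needs local admin, or Remote Registry when
# the Root path is pointed at a remote host.
function Get-UsbStorageHistory {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR')
    if (-not (Test-Path -Path $Root)) { return }
    foreach ($Model in Get-ChildItem -Path $Root) {
        # Subkey name encodes vendor/product/revision: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
        foreach ($Instance in Get-ChildItem -Path $Model.PSPath) {
            $Props = Get-ItemProperty -Path $Instance.PSPath
            [pscustomobject]@{
                Model        = $Model.PSChildName
                InstanceId   = $Instance.PSChildName   # usually the device serial number
                FriendlyName = $Props.FriendlyName
                Service      = $Props.Service          # driver service bound to the device, e.g. disk
            }
        }
    }
}

# Compare against an approved-device list to flag media that was never sanctioned.
$Approved = @('4C530001230215117331')   # constructed serial; replace with your inventory
Get-UsbStorageHistory |
    Where-Object { $_.InstanceId -notin $Approved } |
    Format-Table -AutoSize
```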

Changes are made on the fly, so administrators do not need to make manual corrections. Applications that are not registered cannot be removed. Some new applications, such as the Skype VoIP software, cannot be uninstalled at this time.

Step 3: Analyzing Results

Any new service or hardware that was not previously captured can easily be identified in a report. Spectator provides a list of online reports in XML and HTML. The online reports immediately reflect any change made to a configuration in Spectator. One of the reports provides the number of unidentified hosts and applications running on a network.